Merge pull request #333 from originalworks/use-secrets-manager-for-blobs-batch-sender

cezary-stroczynski · web-flow · commit 4d37f35003dd · 2025-11-25T12:53:23.000+01:00
Use secrets manager for blobs batch sender
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/aws/blobs_batch_sender/Cargo.toml b/aws/blobs_batch_sender/Cargo.toml
@@ -15,3 +15,4 @@ serde = { workspace = true }
 serde_json = { workspace = true }
 aws-sdk-s3 = "1.98.0"
 alloy = { version = "1.0.32", features = ["full"] }
+aws-sdk-secretsmanager = "1.95.0"
diff --git a/aws/blobs_batch_sender/src/main.rs b/aws/blobs_batch_sender/src/main.rs
@@ -1,11 +1,15 @@
 mod contract;
 mod event_handler;
 mod s3;
+mod secrets;
 use event_handler::function_handler;
 use lambda_runtime::{Error, run, service_fn, tracing};
 
+use crate::secrets::set_secret_envs;
+
 #[tokio::main]
 async fn main() -> Result<(), Error> {
+    set_secret_envs().await?;
     tracing::init_default_subscriber();
     run(service_fn(function_handler)).await
 }
diff --git a/aws/blobs_batch_sender/src/secrets.rs b/aws/blobs_batch_sender/src/secrets.rs
@@ -0,0 +1,40 @@
+use aws_config::{BehaviorVersion, meta::region::RegionProviderChain};
+use lambda_runtime::Error;
+use serde::{Deserialize, Serialize};
+use std::env;
+
+#[allow(non_snake_case)]
+#[derive(Debug, Serialize, Deserialize)]
+struct OwenSecretEnvs {
+    RPC_URL: String,
+    PRIVATE_KEY: String,
+}
+
+pub async fn set_secret_envs() -> Result<(), Error> {
+    let region_provider = RegionProviderChain::default_provider().or_else("us-east-1");
+    let aws_main_config = aws_config::defaults(BehaviorVersion::latest())
+        .region(region_provider)
+        .load()
+        .await;
+    let client = aws_sdk_secretsmanager::Client::new(&aws_main_config);
+    let owen_lambda_secrets_name = env::var("OWEN_LAMBDA_SECRETS_NAME")
+        .expect(format!("Missing env variable: OWEN_LAMBDA_SECRETS_NAME").as_str());
+
+    let response = client
+        .get_secret_value()
+        .secret_id(owen_lambda_secrets_name)
+        .send()
+        .await?;
+
+    let secrets_json_string = response
+        .secret_string()
+        .expect("Could not retrieve secret string from AWS SM");
+
+    let owen_secret_envs: OwenSecretEnvs = serde_json::from_str(secrets_json_string)?;
+    unsafe {
+        env::set_var("RPC_URL", owen_secret_envs.RPC_URL);
+        env::set_var("PRIVATE_KEY", owen_secret_envs.PRIVATE_KEY);
+    }
+
+    Ok(())
+}
diff --git a/aws/owen-infra/resources/owen-blobs-queue.yml b/aws/owen-infra/resources/owen-blobs-queue.yml
@@ -3,6 +3,15 @@ Transform: AWS::Serverless-2016-10-31
 Parameters:
   BlobsTempStorageBucketName:
     Type: String
+  OwenLambdaSecretsName:
+    Type: String
+  DdexSequencerAddress:
+    Type: String
+  SeoaAddress:
+    Type: String
+
+Conditions:
+  OverwriteDdexSequencerAddress: !Not [!Equals [!Ref DdexSequencerAddress, ""]]
 
 Resources:
   OwenBlobsQueue:
@@ -37,6 +46,13 @@ Resources:
       Environment:
         Variables:
           BLOBS_TEMP_STORAGE_BUCKET_NAME: !Ref BlobsTempStorageBucketName
+          OWEN_LAMBDA_SECRETS_NAME: !Ref OwenLambdaSecretsName
+          USE_KMS: false
+          S_EOA_ADDRESS: !Ref SeoaAddress
+          DDEX_SEQUENCER_ADDRESS: !If
+            - OverwriteDdexSequencerAddress
+            - !Ref DdexSequencerAddress
+            - !Ref "AWS::NoValue"
 
   MyLambdaEventSourceMapping:
     Type: AWS::Lambda::EventSourceMapping
@@ -79,6 +95,13 @@ Resources:
                   - s3:GetObject
                   - s3:ListBucket
                 Resource: !Sub "${BlobsTempStorage.Arn}/*"
+        - PolicyName: OwenLambdaSecretsAccess
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action: secretsmanager:GetSecretValue
+                Resource: !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${OwenLambdaSecretsName}*"
 
   BlobsTempStorage:
     Type: AWS::S3::Bucket
diff --git a/aws/owen-infra/template-config-dev.json b/aws/owen-infra/template-config-dev.json
@@ -13,6 +13,7 @@
         "Environment": "development",
         "OwenLambdaSecretsName": "OwenLambdaSecretsDev",
         "DdexSequencerAddress": "75AbeCf07C26368F0f4AA0b0d3637A732E25467e",
-        "StorachaBridgeUrl": "https://lwdrum6osj.execute-api.us-east-1.amazonaws.com/stage/"
+        "StorachaBridgeUrl": "https://lwdrum6osj.execute-api.us-east-1.amazonaws.com/stage/",
+        "SeoaAddress": "18f6d8e8b6b72bd9088dd452c63af0a79e2b58b3"
     }
 }
diff --git a/aws/owen-infra/template.yml b/aws/owen-infra/template.yml
@@ -39,6 +39,8 @@ Parameters:
   BlobsTempStorageBucketPrefix:
     Default: owen-blobs-temp-storage
     Type: String
+  SeoaAddress:
+    Type: String
 
 Conditions:
   ShouldCreateNewBucket: !Equals [!Ref CreateNewBucket, "true"]
@@ -281,3 +283,6 @@ Resources:
       Location: ./resources/owen-blobs-queue.yml
       Parameters:
         BlobsTempStorageBucketName: !Sub "${BlobsTempStorageBucketPrefix}-${Environment}"
+        OwenLambdaSecretsName: !Ref OwenLambdaSecretsName
+        DdexSequencerAddress: !Ref DdexSequencerAddress
+        SeoaAddress: !Ref SeoaAddress

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@`
`13`	`13`	`"Environment": "development",`
`14`	`14`	`"OwenLambdaSecretsName": "OwenLambdaSecretsDev",`
`15`	`15`	`"DdexSequencerAddress": "75AbeCf07C26368F0f4AA0b0d3637A732E25467e",`
`16`		`- "StorachaBridgeUrl": "https://lwdrum6osj.execute-api.us-east-1.amazonaws.com/stage/"`
	`16`	`+ "StorachaBridgeUrl": "https://lwdrum6osj.execute-api.us-east-1.amazonaws.com/stage/",`
	`17`	`+ "SeoaAddress": "18f6d8e8b6b72bd9088dd452c63af0a79e2b58b3"`
`17`	`18`	`}`
`18`	`19`	`}`